For security professionals, Mirai has become a household name. It’s the now-infamous malware that hackers use to absorb hundreds of thousands of connected devices – from routers, to DVRs, IP cameras and other gadgets – into giant armies.
Mirai was the malware that last year powered an attack on the domain name system provider Dyn. Such attacks are now classified under the moniker of “botnet” Distributed Denial of Service (DDoS) attacks.
Their high-strength attacks have a devastating impact: flooding web servers and hauling companies offline, causing untold financial and reputational damage.
Many security pros are now understandably worried that botnet DDoS attacks will only become more common, and more vicious. The so-called Internet of Things (IoT) is gathering momentum, and an increasing number of connected devices are entering our daily lives (think of connected homes, connected cars, and smart factories, for example).
Will this create fertile terrain for botnet DDoS attacks to grow in scale? What does the future hold for this area of cyber-crime?
Spawning a Mirai Windows variant
While Mirai was created as Linux-based malware that infected only IoT devices running Linux, analysts point to a dangerous new Windows variant. Still seemingly in its infancy, the Windows version hasn’t yet caused the kind of damage that propelled Mirai to dubious fame. But it does open the door to the possibility that Windows systems could be infected and weaponised for DDoS attacks.
Reflection and amplification
In traditional DDoS attacks, attackers augment their efforts with reflection (sending requests to third-party servers with the packet’s source address spoofed to the victim’s, so that the replies land on the victim) and amplification (choosing a service, such as DNS or NTP, that answers a small request with a much larger response). The two are usually combined: the spoofed request is small, the reflected reply is large, and the traffic that reaches the victim comes from legitimate servers rather than from the botnet itself. While the first-generation Mirai IoT botnets didn’t leverage these tactics, reflection and amplification seem like a logical next step. We’ve already seen Mirai source code that can effectively spoof source addresses.
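The following is an added example (not code from the original article or from Arbor Networks) showing how the reflection pattern described above looks from the victim’s side, and how a defender can pick it out of flow data. It assumes NetFlow/IPFIX-style records already reduced to source, destination, ports, protocol, packet and byte counts; the sample records are constructed for illustration, and the amplifier port list and thresholds are assumptions a real deployment would tune.

```python
"""Spotting likely reflection/amplification traffic in flow records.

Added example for this article; it is not code from the original page or
from Arbor Networks. In a reflected attack the victim receives large UDP
replies from many third-party servers on well-known amplifier ports that it
never asked for, because the requests carried the victim's spoofed source
address. So for each destination we compare inbound bytes from amplifier
ports against the outbound requests we actually saw it send to that service.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (server-side port -> name).
# Assumed list for illustration; extend it to match what your network sees.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return a list of findings, one per (victim, service) pair.

    A destination is flagged when it receives replies from at least
    `min_reflectors` distinct servers on one amplifier port and the bytes
    received are at least `min_ratio` times the bytes it sent to that
    service (infinite when it sent nothing at all).
    """
    # inbound[victim][service] -> {"reflectors": set of server IPs, "bytes": int}
    inbound = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "bytes": 0}))
    # outbound[client][service] -> bytes of genuine-looking requests
    outbound = defaultdict(lambda: defaultdict(int))

    for f in flows:
        if f.proto != "udp":
            continue  # reflection abuses connectionless UDP services
        if f.src_port in AMPLIFIER_PORTS:  # a reply coming from a server port
            svc = AMPLIFIER_PORTS[f.src_port]
            inbound[f.dst_ip][svc]["reflectors"].add(f.src_ip)
            inbound[f.dst_ip][svc]["bytes"] += f.nbytes
        if f.dst_port in AMPLIFIER_PORTS:  # a request going to a server port
            outbound[f.src_ip][AMPLIFIER_PORTS[f.dst_port]] += f.nbytes

    findings = []
    for victim, per_service in inbound.items():
        for svc, entry in per_service.items():
            sent = outbound[victim][svc]
            ratio = entry["bytes"] / sent if sent else float("inf")
            if len(entry["reflectors"]) >= min_reflectors and ratio >= min_ratio:
                findings.append({
                    "victim": victim,
                    "service": svc,
                    "reflectors": len(entry["reflectors"]),
                    "inbound_bytes": entry["bytes"],
                    "ratio": ratio,
                })
    findings.sort(key=lambda x: -x["inbound_bytes"])
    return findings


# Constructed sample: one legitimate DNS exchange, one stray unsolicited DNS
# reply, and a host being hit with NTP replies from five servers it never
# queried (the reflected attack).
SAMPLE_FLOWS = [
    # 192.0.2.10 asks a resolver and gets a normal-sized answer back.
    Flow("192.0.2.10", 51234, "198.51.100.53", 53, "udp", 1, 80),
    Flow("198.51.100.53", 53, "192.0.2.10", 51234, "udp", 1, 200),
    # A single unsolicited DNS reply: too few reflectors to call it an attack.
    Flow("198.51.100.54", 53, "203.0.113.5", 40001, "udp", 2, 900),
]
# Five NTP servers each send 40 large replies (440 bytes) to the victim.
for i in range(1, 6):
    SAMPLE_FLOWS.append(Flow(f"198.51.100.{i}", 123, "203.0.113.5", 48000, "udp", 40, 40 * 440))


if __name__ == "__main__":
    for hit in find_reflection_victims(SAMPLE_FLOWS):
        print(f"{hit['victim']} <- {hit['service']} from {hit['reflectors']} reflectors, "
              f"{hit['inbound_bytes']} bytes in, ratio {hit['ratio']}")
```

Note what the finding does and does not tell you: the reflectors are legitimate DNS or NTP servers, so blocking them by source address is the wrong response, and nothing in the flows identifies the botnet that sent the spoofed requests. The value of the check is early warning, and the mitigation still has to happen upstream of the saturated link.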
When analysing the most serious, monster-sized DDoS attacks, two trends become patently clear: the world’s biggest attacks are getting bigger each year, and there are a lot more of them. Arbor’s Annual Worldwide Infrastructure Security Report recorded 558 attacks of over 100 Gbps in 2016 (as opposed to 223 in 2015). IoT botnet attacks have the potential to blow even these numbers completely out of the water. October 2016’s Dyn attack may have involved as many as 100,000 malicious endpoints, combining to create phenomenal attack strength.
What makes Mirai so effective is not a single clever trick but the way it is maintained. It has essentially been created as a continually-updating platform that is able to add new features over time (rather than malware for a single, one-off attack), and its operators rework it quickly so that it keeps propagating itself in a highly dynamic fashion. Like a biological organism, it is mutating, enabling it to hijack new types of devices, try a wider list of default and weak device credentials, and evolve in other unpredictable ways.
Arbor’s tracking has already noted that many DDoS attacks are aimed at ransoming the victim (demanding a fee in return for stopping the attack and letting their services come back up). But some analysts are also predicting that ransomware tactics may be directed at the owners of connected IoT devices as well. Could ransomware authors start pointing their efforts at the owners of millions of webcams, routers and fridges, holding them to ransom by taking the devices offline or stealing any data held on them?
While these trends and predictions are a worrying window on the future, there’s an alternative future that may in fact diminish the power of IoT botnet DDoS attacks.
It seems that different criminal groups are warring over resources, even turning their DDoS attack methods on each other at times. This continued infighting between those clamouring for the limited pool of compromisable devices may dilute the effect of any one attacker, or any one attack.
However, we certainly don’t recommend that local organisations hold out for this ‘alternative ending’. In all likelihood, the coming years will see an aggressive increase in botnet DDoS attacks, requiring organisations to deploy first-rate, professional DDoS mitigation solutions.
For more information about Arbor in Africa, please contact Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, at firstname.lastname@example.org.